Steganographic access controls

ABSTRACT

Various features described herein may allow an authorized user to provide a guest with access to a secured location through use of an encoded image containing steganographically encoded access information. The encoded access information may be recognizable by a security system, and the security system may grant access to the secured location when the encoded image is presented to the security system. The authorized user may request the generation of the encoded image on an authorized computing device, and the encoded image may be provided to the guest on a guest computing device. When a monitoring device associated with the security system captures the encoded access information, the security system may, for example, open a door at the secured location.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/570,629 filed Sep. 13, 2019, which is a continuation of U.S. patent application Ser. No. 15/405,611 filed Jan. 13, 2017 (now U.S. Pat. No. 10,467,399), which is a continuation of U.S. patent application Ser. No. 14/290,318, filed May 29, 2014 (now U.S. Pat. No. 9,589,124), which are hereby incorporated by reference in their entireties.

BACKGROUND

Modern homes may employ security systems to secure the premises by detecting and deterring unauthorized access to the home. However, these homes continue to use physical keyed locks to control access into the home. If a homeowner wishes to allow a guest access to the home while the homeowner is away, the homeowner may hide a key near the home and tell the guest where it is located. This suffers from numerous downsides, such as the risk that thieves or other unauthorized people may locate the hidden key and enter the home. A further downside is that the guest's access cannot be removed without relocating the key, and the guest may take the key and retain access to the home until the locks are changed at great cost to the homeowner. These and other shortcomings are addressed by the present disclosure.

SUMMARY

The following summary is for illustrative purposes only, and is not intended to limit or constrain the detailed description.

Some of the features described herein may allow an authorized user to provide a guest with access to a secured location through use of an encoded image containing steganographically encoded access information. The encoded access information may be recognizable by a security system, and the security system may grant access to the secured location when the encoded image is presented to the security system. The authorized user may request the generation of the encoded image on an authorized computing device, and the encoded image may be provided to the guest on a guest computing device. When a monitoring device associated with the security system captures the encoded access information, the security system may grant access to the secure location by, for example, opening a door at the secured location.

Steganographic techniques generally involve encoding information within a message, file, or image. The encoded information may be included in “plain sight,” but encoded in such a way that an observer would be unlikely to notice the encoded information. For example, information can be steganographically encoded in an image by adjusting pixels of the image to include the information. If a receiver is aware of how the information was encoded in the image, the receiver may be able to extract the encoded information.

In some embodiments, a method is provided where a base image is received from a first user. A first portion of the base image may be encoded with access information, thereby generating an encoded image. The access information may be steganographically encoded in the encoded image. The encoded image may be transmitted to a second user. A monitoring device at a secured location may capture a display of the encoded image in a captured image. Access information in the captured image may be recognized and the method may grant access to the secured location based on the access information.

In some embodiments, one or more access restrictions for the second user may be received, for example, from the first user. The one or more access restrictions may be steganographically encoded in one or more second portions of the encoded image. In some embodiments, the second portions may be different from the first portion. The access restrictions may be recognized in the captured image and access to the secure location may be granted based on the access restrictions.

In some embodiments, a security database associated with the secured location may store the access information, and the access information may be associated with one or more access restrictions including time of day restrictions, weekday restrictions, number of uses permitted, and/or authentication levels. The security database may further store the base image and/or the encoded image.

Embodiments may further involve receiving an identifier of the second device and access to the secure location may be granted based on the identifier. For example, access by a specific encoded image may be limited to a specified device identifier and granting access to the secured location may be based on the identifier of the second device matching the specified device identifier. A security system associated with the secured location may be notified of one or more access restrictions, and the monitoring device may be activated based on the access restrictions.

In some embodiments, a first device of the first user may be configured to capture the base image using a camera responsive to a request by the first user to create the encoded image. Various criteria may be used to determine whether the base image is suitable for steganographically encoding access information as described herein, and the first user may be prompted to capture another base image if an initial base image does not satisfy the criteria.

In some embodiments, an access notification may be generated in response to recognizing the access information, and the access notification may be provided to the first user or any other authorized user. The access notification may include the captured image, the encoded image, and/or the base image. The method may further capture an identifying image or identifying biometric information of the second user, such as a fingerprint. The identifying information may be used to generate an access record that may be stored in a security database or provided to the first user.

In some embodiments, the receiving, encoding, and recognizing steps are performed by a security backend located remotely from the secured location. In some embodiments, the encoded image may be transmitted to the second user by a mobile messaging service, email, and/or an application associated with a security system controlling access to the secured location.

In still further embodiments, a system is provided comprising a security backend and a local security system. The security backend may receive a base image from a first user and steganographically encode a first portion of the base image with access information to create an encoded image. The security backend may store the access information in a security database and transmit the encoded image to the first user or a second user. The local security system may comprise a monitoring device and capture a display of the encoded image in a captured image by the monitoring device at a secured location. The local security system may recognize the access information in the captured image and grant access to the secured location based on the access information.

In some embodiments, the local security system may be configured to recognize the access information by transmitting at least a portion of the captured image to the security backend and receiving an indication from the security backend that the captured image includes the access information.

In some embodiments, the system may further comprise a first device associated with the first user and configured to capture the base image in response to a request by the first user to generate the encoded image. The first device may provide the base image to the security backend.

In still further embodiments, a system is provided comprising a first device associated with a first user and a second device associated with a second user. The first device may capture a base image in response to a request by the first user to generate an encoded image and steganographically encode a first portion of the base image with access information to create the encoded image. The first device may further transmit an indication of the access information to a security system associated with a secured location and transmit the encoded image to a second user. The second device may receive the encoded image from the first user and display the encoded image for capture by a monitoring device at the secured location. The security system may grant access to the secured location in response to the monitoring device capturing the presented encoded image.

In some embodiments, the first device may receive a selection of one or more access restrictions from the first user and encode the one or more access restrictions into one or more second portions of the base image, wherein the access restrictions are steganographically encoded in the encoded image and the security system grants access to the secured location based on the access restrictions.

In still further embodiments, a method is provided where a base media file is received from a first user, wherein a first device of the first user is configured to capture the base media file using an input device responsive to a request by the first user to create an encoded media file. A first portion of the base media file may be steganographically encoded with access information to create an encoded media file. The encoded media file may be transmitted to a second user. A security system associated with a secured location may be notified of one or more access restrictions. A monitoring device at the secured location may be activated based on the access restrictions. A presentation of the encoded media file may be captured by the monitoring device. The monitoring device may recognize the access information in the captured media file and grant access to the secured location based on the access information.

Embodiments may further comprise receiving a selection from the first user of one or more access restrictions associated with the second user. The access restrictions may be steganographically encoded in one or more second portions of the encoded media file. The monitoring device may recognize the access restrictions in the captured media file and granting access to the secured location may be based on the access restrictions.

In still further embodiments, a method is provided where a first portion of a received base image is steganographically encoded with access information and one or more second portions of the received base image are encoded with one or more access restrictions, thereby creating an encoded image. A monitoring device at a secured location may capture a display of the encoded image in a captured image, and access to the secured location may be granted when the access restrictions are met based on recognizing the access information and the access restrictions in the captured image. The base image may be captured by a camera in response to a request to create the encoded image. An identifier of a device associated with the display of the encoded image may be received and granting access to the secured location may be based on the identifier.

The summary here is not an exhaustive listing of the novel features described herein, and is not limiting of the claims. These and other features are described in greater detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects, and advantages of the present disclosure will become better understood with regard to the following description, claims, and drawings. The present disclosure is illustrated by way of example, and not limited by, the accompanying drawings in which like numerals indicate similar elements.

FIG. 1 illustrates an example communication network on which various features described herein may be implemented.

FIG. 2 illustrates an example computing device that can be used to implement any of the features described herein.

FIG. 3 illustrates an example operating environment in which one or more of the various features described herein may be implemented.

FIG. 4 illustrates an example system for implementing various features described herein.

FIG. 5 illustrates an example processing flow for implementing various features described herein.

FIG. 6 illustrates an example method for implementing various features described herein.

FIG. 7 illustrates another example method for implementing various features described herein.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which is shown, by way of illustration, various embodiments in which aspects of the disclosure may be practiced. It is to be understood that other embodiments may be utilized, and structural and functional modifications may be made, without departing from the scope of the present disclosure.

Various features described herein may allow an authorized user to provide a guest with access to a secured location through use of an encoded image containing steganographically encoded access information. The encoded access information may be recognizable by a security system, and the security system may grant access to the secured location when the encoded image is presented to the security system. The authorized user may request the generation of the encoded image on an authorized computing device, and the encoded image may be provided to the guest on a guest computing device. When a monitoring device associated with the security system captures the encoded access information, the security system may, for example, open and/or unlock a door at the secured location.

An illustrative example of a specific application of the techniques disclosed herein may be a homeowner who wants to provide a housekeeper with access to the homeowner's house while the homeowner is away on vacation. This example is not intended to limit the disclosed techniques described herein. Rather, this example helps illustrate various aspects as will be described below. The homeowner may request the generation of an encoded image which will allow the housekeeper to access the house. In some embodiments, the homeowner may use, for example, a smartphone application associated with a security system protecting the house. The homeowner may request the generation of an encoded image for the housekeeper. The application may prompt the homeowner to use the smartphone's camera to take a picture that will be used to generate the encoded image. For example, the homeowner may take a picture of a nearby tree at his vacation destination. The application may further allow the homeowner to select access restrictions for the housekeeper. For example, the homeowner may select that the encoded image should only provide access between 10 AM and 2 PM on weekdays.

The base image and any access restrictions may be provided to a security backend associated with the home security system. The security backend may steganographically encode access information and/or the access restrictions in the base image, thereby generating an encoded image. Steganographic techniques may encode information in an image without changing the image in a readily noticeable fashion. For example, a series of pixels in the image may have their colors changed by a small amount, such as by changing the least significant bits of the image data. Such a change may be difficult or impossible for a human to notice, but may be readily discerned by a computing device programmed to do so. In some embodiments, the homeowner's smartphone may itself encode the access information instead of sending the base image to the security backend.

The security backend and/or the homeowner's smartphone may send the encoded image to the housekeeper's device. The housekeeper may have a mobile phone with a limited feature set, but capable of displaying images. The encoded image may be sent to the housekeeper using a mobile messaging protocol, such as via an SMS text message. The housekeeper can then go to the house and use the mobile phone to present the encoded image to a monitoring device, such as a security camera, associated with the security system protecting the house. The monitoring device may capture the display of the encoded image, and the home security system may recognize the access information encoded in the encoded image. In some embodiments, the home security system may send captured images to the security backend for further processing and recognition of the access information. If the access information is recognized in the encoded image, and any access restrictions are satisfied, the housekeeper may be granted access to the house. For example, upon recognizing the encoded image, the security system may electronically unlock a door located nearby the monitoring device that captured the encoded image. After the housekeeper has cleaned the house, the homeowner can use the application to revoke the access associated with the encoded image.
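
The least-significant-bit encoding and the restriction and revocation checks from the housekeeper example, as an added Python sketch (not code from the patent). The 16-byte random token, the raw RGB byte buffer, and the `SecurityDatabase`, `Grant`, `embed_lsb` and `extract_lsb` names are assumptions; restrictions are kept in the database here rather than encoded in the image.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, time

TOKEN_BYTES = 16  # assumed token length; the page does not specify one


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of successive pixel bytes."""
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("base image too small for the payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # each byte changes by at most 1
    return bytes(out)


def extract_lsb(pixels: bytes, length: int) -> bytes:
    """Rebuild `length` bytes from the low bits, most significant bit first."""
    if length * 8 > len(pixels):
        raise ValueError("captured image too small to hold a token")
    out = bytearray()
    for i in range(length):
        value = 0
        for byte in pixels[i * 8:(i + 1) * 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)


@dataclass
class Grant:
    token: bytes
    start: time          # earliest time of day, inclusive
    end: time            # latest time of day, exclusive
    weekdays: frozenset  # datetime.weekday() values, 0 = Monday
    uses_left: int
    revoked: bool = False


class SecurityDatabase:
    """Hypothetical stand-in for the security database described on the page."""

    def __init__(self):
        self._grants = []

    def issue(self, base_pixels, start, end, weekdays, uses):
        """Create a random token, record its restrictions, return the encoded image."""
        token = secrets.token_bytes(TOKEN_BYTES)
        grant = Grant(token, start, end, frozenset(weekdays), uses)
        self._grants.append(grant)
        return embed_lsb(base_pixels, token), grant

    def check(self, captured_pixels, now: datetime) -> str:
        """Decide on a presented image; every denial names the failed restriction."""
        try:
            candidate = extract_lsb(captured_pixels, TOKEN_BYTES)
        except ValueError:
            return "deny: image too small"
        grant = next((g for g in self._grants
                      if hmac.compare_digest(g.token, candidate)), None)
        if grant is None:
            return "deny: unknown token"
        if grant.revoked:
            return "deny: revoked"
        if now.weekday() not in grant.weekdays:
            return "deny: weekday"
        if not (grant.start <= now.time() < grant.end):
            return "deny: time of day"
        if grant.uses_left <= 0:
            return "deny: uses exhausted"
        grant.uses_left -= 1
        return "grant"


if __name__ == "__main__":
    # Constructed sample: a 32x32 RGB buffer standing in for the base photo.
    base = bytes((i * 37) % 256 for i in range(32 * 32 * 3))
    db = SecurityDatabase()
    # 10 AM to 2 PM on weekdays, as in the housekeeper example.
    encoded, grant = db.issue(base, time(10), time(14), range(5), uses=2)
    print(db.check(encoded, datetime(2024, 1, 10, 11, 0)))   # a Wednesday
    grant.revoked = True                                     # homeowner revokes
    print(db.check(encoded, datetime(2024, 1, 10, 11, 30)))
```

The sketch compares exact byte values, so it assumes the presented bytes are identical to the encoded ones; recognizing a token from a camera capture of a phone screen needs an encoding that tolerates resampling and noise.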

Various features of methods and systems for providing access to a secured location using steganographically encoded images will be described in greater detail below. However, first an exemplary operating environment as shown in FIGS. 1, 2, and 3 will be described.

FIG. 1 illustrates an example communication network 100 on which many of the various features described herein may be implemented. The network 100 may be any type of information distribution network, such as satellite, telephone, cellular, wireless, etc. One example may be an optical fiber network, a coaxial cable network, or a hybrid fiber/coax distribution network. Such networks 100 use a series of interconnected communication links 101 (e.g., coaxial cables, optical fibers, wireless, etc.) to connect multiple premises 102 (e.g., businesses, homes, consumer dwellings, etc.) to a local office or headend 103. The local office 103 may transmit downstream information signals onto the links 101, and each premises 102 may have a receiver used to receive and process those signals.

There may be one link 101 originating from the local office 103, and it may be split a number of times to distribute the signal to various premises 102 in the vicinity (which may be many miles) of the local office 103. The links 101 may include components not illustrated, such as splitters, filters, amplifiers, etc. to help convey the signal clearly, but in general each split introduces a bit of signal degradation. Portions of the links 101 may also be implemented with fiber-optic cable, while other portions may be implemented with coaxial cable, other lines, or wireless communication paths. By running fiber optic cable along some portions, for example, signal degradation may be significantly minimized, allowing a single local office 103 to reach even farther with its network of links 101 than before.

The local office 103 may include an interface 104, such as a termination system (TS). More specifically, the interface 104 may be a cable modem termination system (CMTS), which may be one or more computing devices configured to manage communications between devices on the network of links 101 and backend devices such as servers 105-107 (to be discussed further below). The interface 104 may be as specified in a standard, such as the Data Over Cable Service Interface Specification (DOCSIS) standard, published by Cable Television Laboratories, Inc. (a.k.a. CableLabs), or it may be a similar or modified device instead. The interface 104 may be configured to place data on one or more downstream frequencies to be received by modems at the various premises 102, and to receive upstream communications from those modems on one or more upstream frequencies.

The local office 103 may also include one or more network interfaces 108, which can permit the local office 103 to communicate with various other external networks 109. These networks 109 may include, for example, networks of Internet devices, telephone networks, cellular telephone networks, fiber optic networks, local wireless networks (e.g., WiMAX), satellite networks, and any other desired network, and the network interface 108 may include the corresponding circuitry needed to communicate on the external networks 109, and to other devices on the network such as a cellular telephone network and its corresponding cell phones.

As noted above, the local office 103 may include a variety of servers 105-107 that may be configured to perform various functions. For example, the local office 103 may include a push notification server 105. The push notification server 105 may generate push notifications to deliver data and/or commands to the various premises 102 in the network (or more specifically, to the devices in the premises 102 that are configured to detect such notifications). The local office 103 may also include a content server 106. The content server 106 may be one or more computing devices that are configured to provide content to users at their premises. This content may be, for example, video on demand movies, television programs, songs, text listings, etc. The content server 106 may include software to validate user identities and entitlements, to locate and retrieve requested content, to encrypt the content, and to initiate delivery (e.g., streaming) of the content to the requesting user(s) and/or device(s).

The local office 103 may also include one or more application servers 107. An application server 107 may be one or more computing devices configured to offer any desired service, and may run various languages and operating systems (e.g., servlets and JSP pages running on Tomcat/MySQL, OSX, BSD, Ubuntu, Redhat, HTML5, JavaScript, AJAX and COMET). For example, an application server may be responsible for collecting television program listings information and generating a data download for electronic program guide listings. Another application server may be responsible for monitoring user viewing habits and collecting that information for use in selecting advertisements. Still, another application server may be responsible for receiving and transmitting communications related to a security system in accordance with the present disclosure. Each of the described functions may be provided by one or more application servers, and a single application server may provide more than one of the described functions. For example, a single physical server may implement one or more application servers responsible for each of the described functions. Although shown separately, one of ordinary skill in the art will appreciate that the push server 105, content server 106, and application server 107 may be combined. Further, here the push server 105, content server 106, and application server 107 are shown generally, and it will be understood that they may each contain memory storing computer executable instructions to cause a processor to perform steps described herein and/or memory for storing data, which may include security system access information, restrictions, and access logs as a result of performing steps described herein.

An example premises 102 a, such as a home, may include an interface 120. The interface 120 can include any communication circuitry needed to allow a device to communicate on one or more links 101 with other devices in the network. For example, the interface 120 may include a modem 110, which may include transmitters and receivers used to communicate on the links 101 and with the local office 103. The modem 110 may be, for example, a coaxial cable modem (for coaxial cable lines 101), a fiber interface node (for fiber optic lines 101), twisted-pair telephone modem, cellular telephone transceiver, satellite transceiver, local wi-fi router or access point, or any other desired modem device. Also, although only one modem is shown in FIG. 1, a plurality of modems operating in parallel may be implemented within the interface 120. Further, the interface 120 may include an interface device 111, such as a gateway. The modem 110 may be connected to, or be a part of, the interface device 111. The interface device 111 may be one or more computing devices that communicate with the modem(s) 110 to allow one or more other devices in the premises 102 a, to communicate with the local office 103 and other devices beyond the local office 103. The interface device 111 may be a set-top box (STB), digital video recorder (DVR), computer server, or any other desired computing device. The interface device 111 may also include (not shown) local network interfaces to provide communication signals to requesting entities/devices in the premises 102 a, such as display devices 112 (e.g., televisions), additional STBs or DVRs 113, personal computers 114, laptop computers 115, wireless devices 116 (e.g., wireless routers, wireless laptops, notebooks, tablets and netbooks, cordless phones (e.g., Digital Enhanced Cordless Telephone—DECT phones), mobile phones, mobile televisions, personal digital assistants (PDA), etc.), landline phones 117 (e.g. Voice over Internet Protocol—VoIP phones), home security system 119, and any other desired devices. Examples of the local network interfaces include Multimedia Over Coax Alliance (MoCA) interfaces, Ethernet interfaces, universal serial bus (USB) interfaces, wireless interfaces (e.g., IEEE 802.11, IEEE 802.15), analog twisted pair interfaces, Bluetooth interfaces, and others.

Having described an example communication network shown in FIG. 1 in which various features described herein may be implemented, an example computing device as shown in FIG. 2 will be described.

FIG. 2 illustrates general hardware elements that can be used to implement any of the various computing devices discussed herein. The computing device 200 may include one or more processors 201, which may execute instructions of a computer program to perform any of the features described herein. The instructions may be stored in any type of computer-readable medium or memory, to configure the operation of the processor 201. For example, instructions may be stored in a read-only memory (ROM) 202, random access memory (RAM) 203, removable media 204, such as a Universal Serial Bus (USB) drive, compact disk (CD) or digital versatile disk (DVD), floppy disk drive, or any other desired storage medium. Instructions may also be stored in an attached (or internal) hard drive 205. The computing device 200 may include one or more output devices, such as a display 206 (e.g., an external television or monitor, or an integrated display), and may include one or more output device controllers 207, such as a video processor. There may also be one or more user input devices 208, such as a remote control, keyboard, mouse, touch screen, microphone, camera for capturing images and/or video, and the like. One or more input devices 208 may be integrated within the computing device 200. The computing device 200 may also include one or more network interfaces, such as a network input/output (I/O) circuit 209 (e.g., a network card) to communicate with an external network 210. The network input/output circuit 209 may be a wired interface, wireless interface, or a combination of the two. In some embodiments, the network input/output circuit 209 may include a modem (e.g., a cable modem), and the external network 210 may include the communication links 101 discussed above, the external network 109, an in-home network, a provider's wireless, coaxial, fiber, or hybrid fiber/coaxial distribution system (e.g., a DOCSIS network), or any other desired network. Additionally, the device may include security system application data 201 a which may enable the device to perform the steps described herein.

The FIG. 2 example is a hardware configuration, although the illustrated components may be wholly or partially implemented as software as well. Modifications may be made to add, remove, combine, divide, etc. components of the computing device 200 as desired. Additionally, the components illustrated may be implemented using basic computing devices and components, and the same components (e.g., processor 201, ROM storage 202, display 206, etc.) may be used to implement any of the other computing devices and components described herein. For example, the various components herein may be implemented using computing devices having components such as a processor executing computer-executable instructions stored on a computer-readable medium, as illustrated in FIG. 2. Some or all of the entities described herein may be software based, and may co-exist in a common physical platform (e.g., a requesting entity can be a separate software process and program from a dependent entity, both of which may be executed as software on a common computing device).

One or more aspects of the disclosure may be embodied in a computer-usable data and/or computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other data processing device. The computer executable instructions may be stored on one or more computer readable media such as a hard disk, optical disk, removable storage media, solid state memory, RAM, etc. As will be appreciated by one of skill in the art, the functionality of the program modules may be combined or distributed as desired in various embodiments. In addition, the functionality may be embodied in whole or in part in firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like. Particular data structures may be used to more effectively implement one or more aspects of the disclosure, and such data structures are contemplated within the scope of computer executable instructions and computer-usable data described herein.

Having discussed an example network environment and computing device, discussion will now turn to FIG. 3, which illustrates an example operating environment in which various features described herein may be performed and implemented.

As illustrated in FIG. 3, the environment may include a premises 300 (which may correspond to the premises 102 of FIG. 1), such as a user residence, business, recreational facility, etc. (referred to herein as a user residence, home, or premises in a non-limiting manner), and a local office 302 (which may correspond to the local office 103 of FIG. 1). The premises 300 may include one or more doors 304 and one or more windows 305. The doors 304 may be secured by an associated door security control 306, such as an electronically controlled locking mechanism, a proximity sensor, contact switch, motion detector, a combination thereof, and the like. In addition, each of the plurality of windows 305 may be secured by associated window security controls 307, which may be similar to the door security control 306. The security controls 306 and 307 may be communicatively coupled to a security system 319 (which may correspond to the home security system 119 of FIG. 1), which may allow the security controls 306 and 307 to be engaged, disengaged, armed, disarmed, and monitored. In one arrangement, an alarm panel 308 may be implemented in and/or as part of security system 319. Through the door security controls 306, security system 319 may electronically control access to the premises 300.

Many other security sensors and devices may be communicatively coupled to the alarm panel 308 and/or security system 319. For example, security system 319 may be communicatively coupled to one or more cameras 310, which may capture images and record video to monitor the premises 300 and surrounding area. One or more cameras 310 may be located so as to monitor an access location of the premises 300, such as a door 304. According to various techniques disclosed herein, images captured by a camera 310 associated with a door 304 may be used by the security system 319 to grant access to an access location such as a door 304.

From the example diagram of FIG. 3, various features may be realized. For example, the security controls 306 and 307, cameras 310, alarm panel 308, and security system 319 may be communicatively coupled to a user interface device, such as the television 303 (or another type of display). Additionally and/or alternatively, the security controls 306 and 307, cameras 310, alarm panel 308, and security system 319 may be in communication with one or more authorized devices 315 (e.g., a smartphone, tablet, and the like). Through the user interface device (e.g., the television 303 or authorized device 315) an authorized user may configure any of the devices within the security system. Another example feature may include transmitting (e.g., streaming) data (e.g., pictures, video, audio, etc.) from one or more cameras 310 to any of the other devices in the diagram of FIG. 3.

FIG. 3 also shows that the security system 319 may communicate with an external network, such as the local office 302. This communication may be through a gateway such as the interface device 111 of FIG. 1. When an alarm or access event is detected, the local office 302 may record the event (e.g., store information identifying the sensor(s) that were tripped, their location, recording video and/or audio showing the event that occurred, etc.), determine an appropriate reaction, and/or transmit an event signal to an external network, such as the public switched telephone network (PSTN) 312 or a wide area network (WAN) 313. In some embodiments, a remote security server 318 may be accessed over the WAN 313 and may process and handle events and data generated by security system 319. Although FIG. 3 illustrates a WAN 313, any suitable network for communication between the local office 302, security system 319, and/or remote security server 318 may be used, such as a local area network (LAN). In some embodiments, one or more features of the remote security server 318 may be implemented by the local office 302. In still other embodiments, the security system 319 may record the event, determine the appropriate reaction, and/or transmit the event signal by communicating directly with the networks 312, 313, and/or 316. Thus, the security system 319 may transfer event signals, notifications, and access requests upstream for processing and handling.

Via the PSTN 312, the local office 302 may transfer an event signal to a cell tower 314 and ultimately to a designated authorized device 315 (e.g., smartphone, tablet, etc.). Similarly, the authorized device 315 may transfer commands and configuration data back to the security system 319. Additionally and/or alternatively, the local office 302 may transfer an event signal via the WAN 313 (e.g., the Internet) to a monitoring entity 317 and/or a remote security server 318. The monitoring entity 317 may be the same entity as the local office 302 or a third party entity. The monitoring entity 317 and/or the remote security server 318 may be responsible for monitoring the premises 300. This may include responding to alert signals and access requests received when the security system 319 detects an event. For example, as will be discussed further below, in one embodiment the security system 319 may capture a display of an encoded image and transfer that image upstream to the local office 302, the monitoring entity 317, and/or the remote security server 318 for processing and recognition. After upstream processing, the security system may grant access if appropriate access information is recognized in the encoded image.

The remote security server 318 may be a computing device capable of providing a web portal through which users may view, on any connected display device, information regarding the security of the premises 300. Users may log-on to the web portal provided by the remote security server 318 and view an alarm or access event and/or information related to the event, such as when an access event was triggered and any identifying information associated with the access event. For example, the web portal may indicate that a guest requested access at 10:00 AM and may provide a picture of that guest at a door 304. Also through the web portal, a user may be able to view video of the premises 300 captured by the camera 310 or may be able to check the status of the security system. Where the remote security server 318 is coupled to a WAN 313, such as the Internet, the web portal for the premises 300 may be accessed using any device that can connect to the WAN 313, such as a smartphone, tablet, laptop, etc. The web portal may also be used to customize settings, such as schedules, to indicate when and how the security system should operate. For instance, using the web portal a user may be able to specify access restrictions whereby the security system 319 may allow guests to access the premises 300 during a specified time of day, provided the guest possesses appropriate access credentials (such as the encoded images discussed further herein). The web portal may also allow a user to view authorized guests and their associated encoded images. The user may be able to revoke the access rights afforded to any of the authorized guests through the web portal. If an access right is revoked, the guest may be denied entry to the premises when they present the encoded image.

As shown in FIG. 3, the authorized device 315 may be in communication with the security system 319 and the local office 302 by way of a PSTN 312. Although illustrated as communicating through a PSTN 312, the authorized device 315 may communicate with the security system 319 and the local office 302 by way of a WAN 313, a LAN, and/or any other suitable communications method. The authorized device 315 can be any suitable computing device, such as a computing device 200 as in FIG. 2, including but not limited to a smartphone, tablet computer, laptop computer, desktop computer, and/or a specialized computing device, and the like. The authorized device 315 may include a camera suitable for capturing images and/or video. The authorized device 315 may be configured to allow a user to control access to the premises 300 in accordance with various techniques described herein. As will be discussed further below, the authorized device 315 may allow the user to generate an encoded image that can be sent to a guest device 321 such that the guest device 321 may be used to access the premises 300. The authorized device 315 may also allow a user to revoke any previously granted access rights for a given guest, thereby rendering access information previously encoded in an image invalid. The guest device 321, similar to the authorized device 315, may be any suitable computing device, including but not limited to a smartphone, tablet computer, laptop computer, desktop computer, and/or a specialized computing device, and the like. As will be discussed further below, the guest device 321 may generate a presentation of an encoded image received from the authorized device 315 and display the encoded image to a camera 310 associated with the security system 319 in order to access the premises 300.

Having discussed an example network environment, an example computing device, and an example operating environment, discussion will now turn to an illustrative system which may be used to implement some of the various techniques disclosed herein, as shown in FIG. 4.

FIG. 4 illustrates a system 400 including an authorizing device 410, a security backend 420, a home security system 430, and a guest device 440. Each of the devices shown in FIG. 4 may communicate using a network 405. The network 405 may be any suitable network for communication between devices, such as a WAN 313 as shown in FIG. 3 and/or any other type of network described herein. Although FIG. 4 illustrates one network 405, more than one network may be used to facilitate communication between the devices of FIG. 4, and more than one type of network may be used. For example, the authorized device 410 may communicate with the security backend 420 using a PSTN or cellular phone network, and the security backend 420 may communicate with the home security system 430 through a connection such as links 101 (FIG. 1) between a local office such as the local office 302 (FIG. 3) and a gateway such as interface device 111 (FIG. 1).

FIG. 4 illustrates an authorized device 410, which may, for example, correspond to the authorized device 315 illustrated in FIG. 3. The authorized device 410 may be any suitable computing device, such as a computing device 200 as in FIG. 2, including but not limited to a mobile phone, smartphone, tablet computer, laptop computer, desktop computer, and/or a specialized computing device, and the like. The authorized device 410 may include or be associated with a camera 415 suitable for capturing images and/or video. In one embodiment, the camera 415 may be integrated in and/or a part of the authorized device 410. As one example, the authorized device 410 may be a smartphone belonging to an owner of a house, which may correspond to the premises 300 (FIG. 3). However, as noted above, the techniques described herein are not limited to securing a house and may be used for any premises for which access control is desirable, such as a commercial office, an event venue, a vehicle, and the like.

The authorized device 410 may include a security application that allows a user, such as the owner of the house, to generate an encoded image for providing access to a secured location, such as the house. The process by which the encoded image may be generated is discussed further below in regard to FIGS. 5-7. In generating the encoded image, the authorized device 410 may use the camera 415 to capture a base image, such as a scene 402. The scene 402 may include any location, object, person, activity, event, and/or other visual setting. The scene 402 may be any image captured by the camera 415. The authorized device 410 may prompt the user to use the camera 415 to capture a base image in response to a request by the user to generate an encoded image. In some embodiments, the user may be prompted to capture a scene 402 that may be readily associated with the premises 300, for example where the scene 402 includes in it an image of the premises 300 or of the owner. In other embodiments, the authorized device 410 may allow a user to select from a group of images stored on the authorized device 410 or elsewhere. In such a case, the security application may use various criteria to determine whether a picture may be selected as the base image, such as the time the picture was taken, an amount of entropy and/or randomness in the picture, content of the picture, location the picture was taken, device that captured the picture, previous usage of the picture, and/or other criteria determining the suitableness of the picture for use with steganographic encoding techniques. Similarly, these criteria may be used to verify that a base image captured by the user is suitable for use as an encoded image. If a base image does not meet these criteria, the authorized device 410 may inform the user and request a selection/capture of another suitable image. In some embodiments, the authorized device 410 may encode access information and access restrictions into the base image. In other embodiments, the authorized device 410 may transmit the base image to the security backend 420 or home security system 430 for encoding.

FIG. 4 also illustrates a security backend 420, which may, for example, correspond to the local office 302, remote security server 318, and/or monitoring entity 317 of FIG. 3. The security backend 420 may be operable to remotely manage the home security system 430, which may correspond to the security system 319 (FIG. 3). In other embodiments, the security backend 420 may be located on the premises 300, and the security backend 420 may be integrated with or communicatively coupled with the home security system 430. The security backend 420 may be a backend system for providing security services to the premises. The security backend 420 may be remote from the premises, such as where the security backend 420 is located at a local office 302. The security backend 420 may be a server computing device or other suitable computing device for providing security services. In some embodiments, the security backend 420 may provide security services to multiple premises and home security systems. The security backend 420 may manage the home security system 430 by receiving information and events from the home security system 430, determining an appropriate course of action, and transmitting instructions to the home security system 430. The security backend 420 may also provide configuration information and parameters to the home security system 430. For example, the security backend 420 may provide the home security system 430 with parameters indicating times during which the home security system 430 should monitor the premises 300 for a presentation of an encoded image in accordance with various techniques disclosed herein.

The security backend 420 may receive a base image from an authorized device 410 as part of a request to generate the encoded image. It may also receive one or more access restrictions associated with the request. The security backend 420 may encode access information and the one or more access restrictions into the base image to generate the encoded image. The access information may be information recognizable by the security backend 420 and/or home security system 430 as identifying a guest who may be permitted to enter the premises. A guest presenting the access information may be allowed entrance into the premises, much like a bearer of a physical key can enter a door protected by a keyed lock. For example, the access information may be a computer-recognizable key value associated with the premises 300 (FIG. 3). As another example, the access information may be a shape or pattern that may be embedded in the base image. The access information may be predetermined and/or may be dynamically determined by the security backend 420, authorized device 410, and/or home security system 430. The access information may be determined based on attributes associated with the premises, the home security system, the authorizing device, a user of the authorizing device, the guest device, a user of the guest device, a time of day, a date, the security backend, the home security system, and/or any suitable basis for generating and recognizing access information. The access restrictions associated with the access information may include any restrictions on when and/or how the access information may be used to access the secured location. Access restrictions may include a valid time of day, valid days of the week, valid dates, limited number of uses, expiration date, user identity, verification procedures, notification procedures, device restrictions, and/or any suitable restriction on when and/or how the secured location may be accessed.

Once determined and used to generate an encoded image, the access information may provide a guest with access to the premises when presented to the home security system 430. In some embodiments, a user of the authorizing device 410 may later decide to revoke the access rights associated with the access information. In other embodiments, the access rights associated with the access information may be revoked for other reasons, such as an expiration date, unauthorized access attempts, and/or any other suitable reason for not granting access to a bearer of the encoded access information. After the access rights have been revoked, the home security system 430 may no longer grant the guest access based on that access information.

The security backend 420 may provide a steganographic module that may use steganographic techniques to encode the access information and/or access restrictions into one or more portions of the base image, thereby generating an encoded image. For example, in some embodiments the base image may be broken into four quadrants. In one illustrative embodiment, the access information may be encoded in a first quadrant, an access restriction relating the permissible access times may be encoded in a second quadrant, an access restriction relating to the number of times the encoded image can be used may be encoded in a third quadrant, and an identifier associated with an intended guest may be encoded in a fourth quadrant. Additionally and/or alternatively, information may be redundantly encoded throughout portions of the base image. For example, each quadrant of the image may be encoded with the access information and access restrictions. Such redundant encoding may facilitate better recognition of the encoded image by the home security system 430 or the security backend 420.

A wide range of steganographic methods may be used by the security backend 420, or an authorized device 410, to encode information in the base image. The access information and one or more access restrictions may be encoded in the base image by changing one or more attributes or data values of the base image. For example, in one embodiment a least significant bit of a range of pixel data may be changed to encode the access information. In other embodiments, higher order bits may be used. In still other embodiments, a pattern or other sequence of bits and/or pixels may be used to encode the access information in the base image. For example, a particular set of pixels in the image may be used to encode the information and the particular locations used may be known to both the encoding party and the decoding party. Other steganographic methods used to encode the access information and access restrictions in the base image may include adjusting colors, brightness, contrast, embossing, patterns, shapes, and/or any other attributes or data of the base image. Additionally and/or alternatively, a key or algorithmic hint may be encoded in the encoded image such that a decoding device may use the key or algorithmic hint to recognize the encoded access information and/or access restrictions. In some embodiments, the steganographically encoded information may be decoded and/or extracted by comparing the encoded image to the base image. In other embodiments, the steganographically encoded information may be decoded and/or extracted based on a pre-determined and/or pre-shared algorithm. A human viewer may not be able to recognize a difference between the base image and the encoded image, but such a difference may be easily recognized by a computer programmed to look for such differences.
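The following sketch is an added illustration, not code from the disclosure: it combines the least-significant-bit embodiment, pixel locations known to both parties, and the redundant per-quadrant encoding described above, and decodes by majority vote across the four copies. The payload layout, the shared seed, the function names, and the synthetic base image are all assumptions made for the example.

```python
import random
import struct

def make_base_image(width, height, seed=1):
    """Constructed 8-bit grayscale base image (rows of pixel values)."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(width)] for _ in range(height)]

def quadrants(image):
    """Bounds (x0, y0, x1, y1) of the four quadrants of the image."""
    h, w = len(image), len(image[0])
    mx, my = w // 2, h // 2
    return [(0, 0, mx, my), (mx, 0, w, my), (0, my, mx, h), (mx, my, w, h)]

def positions(bounds, count, shared_seed):
    """Pixel locations known to both encoder and decoder, derived from a
    shared seed. random.Random is deterministic, not a cryptographic PRNG."""
    x0, y0, x1, y1 = bounds
    cells = [(x, y) for y in range(y0, y1) for x in range(x0, x1)]
    if count > len(cells):
        raise ValueError("quadrant too small for payload")
    return random.Random(shared_seed).sample(cells, count)

def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits):
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[n:n + 8]))
        for n in range(0, len(bits), 8)
    )

def encode(image, payload, shared_seed):
    """Write one full copy of the payload into the LSBs of each quadrant."""
    bits = to_bits(payload)
    out = [row[:] for row in image]
    for q, bounds in enumerate(quadrants(out)):
        spots = positions(bounds, len(bits), f"{shared_seed}:{q}")
        for (x, y), bit in zip(spots, bits):
            out[y][x] = (out[y][x] & ~1) | bit
    return out

def decode(image, nbytes, shared_seed):
    """Majority-vote each bit over the four copies; None if any bit ties 2-2."""
    nbits = nbytes * 8
    votes = [0] * nbits
    for q, bounds in enumerate(quadrants(image)):
        spots = positions(bounds, nbits, f"{shared_seed}:{q}")
        for i, (x, y) in enumerate(spots):
            votes[i] += image[y][x] & 1
    if any(v == 2 for v in votes):
        return None  # two copies disagree with two: cannot be resolved
    return from_bits([1 if v >= 3 else 0 for v in votes])

def flip_quadrant_lsbs(image, q):
    """Constructed damage: invert every LSB in one quadrant."""
    out = [row[:] for row in image]
    x0, y0, x1, y1 = quadrants(out)[q]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] ^= 1
    return out

def max_pixel_delta(a, b):
    """Largest per-pixel change between two images of equal size."""
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))

# Constructed sample values (assumptions, not from the disclosure).
ACCESS_KEY = bytes.fromhex("00112233445566aa")
# Assumed layout: 8-byte key, valid-from hour, valid-until hour, permitted uses.
PAYLOAD = struct.pack(">8sBBB", ACCESS_KEY, 10, 14, 3)
SHARED_SEED = "constructed-shared-seed"
BASE = make_base_image(32, 32)
ENCODED = encode(BASE, PAYLOAD, SHARED_SEED)

if __name__ == "__main__":
    print("max pixel change:", max_pixel_delta(BASE, ENCODED))
    print("clean decode ok:", decode(ENCODED, len(PAYLOAD), SHARED_SEED) == PAYLOAD)
    damaged = flip_quadrant_lsbs(ENCODED, 2)
    print("one quadrant lost:", decode(damaged, len(PAYLOAD), SHARED_SEED) == PAYLOAD)
```

Plain LSB values survive only a lossless copy of the pixel data; recognition from a camera capture of a display, as described elsewhere in this document, would need one of the more robust embeddings listed above. The embedded value also acts as a bearer credential, so the restriction and revocation checks remain the actual access decision.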

The security backend 420 may include or be associated with a security database 425. The security database 425 may store information related to the operation of the home security system 430 and the premises 300. For example, the security database 425 may store alarm and access events generated by the home security system 430. The security database 425 may further store information related to a request to generate an encoded image, such as the access information, associated access restrictions, the base image, and/or the encoded image. When an access event is received, the security backend 420 may compare encoded information extracted from the access event to data stored in the security database 425 to determine if access should be granted. For example, the security backend 420 may receive an image taken by a video camera at a door located on the premises 300 and recognize within the image a display of an encoded image containing candidate access information. The security backend 420 may compare this candidate access information to the access information and associated restrictions stored in the security database 425 to determine whether the door should be unlocked. The security backend 420 may remove access information from the security database 425 in response to a user request to revoke the access right, or based on a set expiration period and/or criteria.

In accordance with some aspects disclosed herein, the security backend 420 may notify the home security system 430 of access restrictions associated with an encoded image containing access information. For example, the security backend 420 may notify the home security system 430 that the access information is only valid from 10 AM to 2 PM, and the home security system 430 may adjust its operation accordingly, such as by monitoring a video feed for the encoded image during the specified time frame and not during other times.
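As an added illustration (not code from the disclosure), the sketch below shows one way a backend could compare candidate access information against stored grants, enforce a 10 AM to 2 PM window and a use limit, record each access event, and revoke by removing the stored record. The class names, fields, denial messages, and sample key are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Grant:
    guest_id: str
    access_key: bytes
    valid_from: time
    valid_until: time
    uses_left: int

class SecurityDatabase:
    """Hypothetical in-memory stand-in for a security database of grants and events."""

    def __init__(self):
        self._grants = {}
        self.events = []  # (timestamp, guest_id or None, granted, reason)

    def add(self, grant):
        self._grants[grant.guest_id] = grant

    def revoke(self, guest_id):
        # Revocation removes the stored access information entirely.
        self._grants.pop(guest_id, None)

    def check(self, candidate_key, now):
        match = None
        for grant in self._grants.values():
            # Constant-time comparison, and no early exit, so response time
            # does not reveal how much of a guessed key was correct.
            if hmac.compare_digest(grant.access_key, candidate_key):
                match = grant
        if match is None:
            decision = (False, "unknown or revoked access information")
        elif not (match.valid_from <= now.time() < match.valid_until):
            decision = (False, "outside permitted time")
        elif match.uses_left <= 0:
            decision = (False, "no uses remaining")
        else:
            match.uses_left -= 1
            decision = (True, "access granted")
        guest = match.guest_id if match else None
        self.events.append((now.isoformat(), guest, *decision))
        return decision

def run_demo():
    """Constructed scenario: one guest, a 10:00-14:00 window, two permitted uses."""
    db = SecurityDatabase()
    key = bytes.fromhex("00112233445566aa")  # constructed sample key
    db.add(Grant("housekeeper", key, time(10, 0), time(14, 0), uses_left=2))

    def at(hour, minute):
        return datetime(2024, 1, 15, hour, minute)  # constructed date

    results = [
        db.check(key, at(9, 59)),          # before the window opens
        db.check(key, at(10, 0)),          # first permitted use
        db.check(b"\x00" * 8, at(11, 0)),  # key that was never issued
        db.check(key, at(13, 30)),         # second permitted use
        db.check(key, at(13, 45)),         # use limit exhausted
    ]
    db.revoke("housekeeper")
    results.append(db.check(key, at(11, 0)))  # after revocation
    return results, db.events

if __name__ == "__main__":
    for outcome in run_demo()[0]:
        print(outcome)
```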

FIG. 4 also illustrates a home security system 430, which may, for example, correspond to the security system 319 as shown in FIG. 3. The home security system 430 may be located at the secured premises and may monitor the premises, report events, and control access to the premises. Although FIG. 4 illustrates a home security system 430, the nature of the home security system 430 as a “home” security system is merely illustrative. As noted above, the techniques described herein may be applicable to securing any sort of premises or venue for which access control is desirable, such as a commercial office, an event venue, a vehicle, and the like. As discussed above, the home security system 430 may include a variety of sensors and controls, including one or more electronic access controls 433. The electronic access controls 433 may be operable to control access to the premises by locking a door or otherwise barring entry to the premises. The home security system 430 may grant a guest access to the premises by, for example, using the electronic access controls 433 to unlock a door at which the guest presents acceptable access credentials, such as by presenting an encoded image containing access information as described herein.

The home security system 430 may also include a monitoring device 435, such as a security camera and/or other sensors for monitoring the premises. The monitoring device 435 may be used to capture a presentation by a guest device 440 of the encoded image. Where the monitoring device 435 is a security camera, the security camera may capture a scene including the guest device displaying the encoded images. In other embodiments, the monitoring device 435 may be a more specialized camera or reader designed to capture a display of the encoded image rather than monitor the premises. In some embodiments, the monitoring device 435 may recognize when a candidate encoded image is presented for capture and capture an image, or the monitoring device 435 may periodically or constantly capture an image and determine whether a candidate encoded image is present. In some embodiments, the home security system 430 may forward captured images to the security backend 420 without determining whether a candidate encoded image is present. The home security system 430 may be notified of access restrictions associated with the encoded image and may be configured to activate the monitoring device 435 based on the access restrictions and process images captured by the monitoring device 435. The home security system 430 may also utilize one or more sensors to determine whether to activate the monitoring device 435. For example, a motion sensor could be used to activate the monitoring device 435 when activity is detected. As one example, the home security system 430 may capture images and assume candidate encoded images may be present when a motion sensor captures activity and/or when one or more access restrictions of which it has been notified have been met, such as during a specified time period.

In some embodiments, the home security system 430 may transmit captured images upstream to the security backend 420 for further processing, including recognition of the encoded image. In some embodiments, the home security system 430 may capture a series of images which may be used together to better identify the encoded image. For example, if a guest were holding a guest device 440 up to the monitoring device 435, more than one image may be captured by the monitoring device 435 and used during processing to account for and minimize information lost or distorted in the encoded image as presented to the monitoring device 435. If there were glare or the guest was unable to hold the device still, the series of images may be used to better identify the encoded image in the captured image. The home security system 430 may engage in some preprocessing to determine whether a captured image may contain a candidate encoded image and should be sent upstream. In other embodiments, the home security system 430 may recognize encoded access information without sending the capture upstream. For example, the security backend 420 or the authorizing device 410 may have provided the home security system 430 with an indication of the encoded image or access information, and the home security system 430 may itself watch for and recognize a display of the encoded image.

Upon recognizing the access information encoded in the encoded image, the home security system 430 may grant the user access to the premises by, for example, unlocking a door. The home security system 430 may determine that a captured image includes encoded information, may extract that information, and may determine whether that information matches expected access information or credentials. In other embodiments, one or more of these steps may be handled by the security backend 420. For example, the home security system 430 may determine that a captured image contains candidate encoded information, extract that information, and send the extracted information upstream to the security backend 420 to determine whether the extracted information matches expected access information or credentials. In other embodiments, the home security system 430 may provide a periodic stream of images to the security backend 420, and the security backend 420 may monitor the stream for encoded information. The security backend 420 may notify the home security system 430 whether the encoded information is valid and matches the expected access information, and the home security system 430 may grant the guest access based on the notification.

The monitoring device 435 may be further used to capture identifying information related to a user of a guest device 440 as part of or before allowing the user to access the premises. For example, a security camera could capture a picture of the guest user's face, or a biometric scanner could be used to capture fingerprints, iris or retinal scans, or other identifying biometric data of the guest user. The home security system 430 may prevent access to the premises 300 until satisfactory identifying information is captured. For example, the user may be denied access if the monitoring device cannot get a picture of the user's face or if the user does not provide a complete fingerprint. In some embodiments, biometric or other identifying information associated with the guest user may be preregistered with the home security system 430 and the security backend 420, and access may be conditioned on a match of the captured identifying information with the preregistered information.

As shown in FIG. 4, the guest device 440 may be used by a guest to present a display of the encoded image at the premises 300 in order to gain entry to the premises. Like the authorizing device 410, the guest device 440 may be any suitable computing device, such as a computing device 200 as in FIG. 2, including but not limited to a mobile phone, smartphone, tablet computer, laptop computer, desktop computer, and/or a specialized computing device, and the like. The guest device 440 may receive a transmission of the encoded image. In one embodiment, the encoded image may be sent by the authorizing device 410. In another embodiment, the encoded image may be sent by the security backend 420. The encoded image may be received by the guest device 440 via a number of methods and protocols, such as SMS (Short Message Service) messages, MMS (Multimedia Messaging Service) messaging, other mobile messaging services, email, and the like. In one embodiment, the guest device 440 may execute an application associated with the security backend 420 or the home security system 430 and may request and/or receive the encoded image through the associated application.

After the guest device 440 has received the encoded image, a user of the guest device 440 may take the device to the premises and present a display of the encoded image to a monitoring device 435 of the home security system 430. The guest device 440 may include or be associated with a display 445 for providing a visual presentation of the encoded image. The user of the guest device 440 may request that the guest device 440 display the encoded image, and the user may orient the guest device 440 such that the monitoring device 435 is capable of recognizing access information encoded in the displayed image. For example, the user may hold the guest device 440 up to a security camera so that the security camera can view the display 445. As another example, where the monitoring device 435 is a specialized camera for capturing a display of the encoded image rather than monitoring the premises, a user may place the guest device 440 on a platform or against a panel associated with the monitoring device 435, or otherwise orient the device such that the monitoring device 435 may capture the encoded image presented on the display 445.

Having discussed the system of FIG. 4 which may provide a guest with access to a secured premises, a general sequence of a method implementing various techniques described herein as shown in FIG. 5 will be discussed. The process flow illustrated in FIG. 5 may be implemented in the system 400 illustrated in FIG. 4, and/or in other suitable systems.

FIG. 5 illustrates a sequence diagram of one embodiment of the access control techniques described herein. FIG. 5 includes an authorizing device 510, a steganographic platform 520, a home security system 530, and a guest device 540 (which may, for example, respectively correspond to the authorizing device 410, security backend 420, home security system 430, and guest device 440 of FIG. 4). Each of these elements may communicate with each other as indicated by the sequence diagram, such as through a network 405 as illustrated in FIG. 4. As discussed above, in some embodiments, the steganographic platform 520 may be remote from the home security system 530, and in others the steganographic platform 520 may be provided by or integrated within the home security system 530 or the authorizing device 510.

The sequence illustrated in FIG. 5 may begin when a user of an authorizing device 510, such as an owner of a home equipped with a home security system 530, initiates the generation of an encoded image to provide access to a secured location, such as the premises 300 illustrated in FIG. 3. The user may request the generation of the encoded image so that a guest can access the secured location. In one example application of the methods discussed herein, a homeowner may be traveling and may wish to let a housekeeper into the homeowner's house while the homeowner is away. In such an example, the homeowner may use an authorizing device 510, such as a smartphone belonging to the homeowner, to generate an encoded image and provide that encoded image to a guest device 540 associated with the housekeeper, such as a smartphone or mobile phone associated with the housekeeper. This example application represents but one implementation of the methods and techniques described herein, and as discussed above, these techniques may be equally applicable to any premises, event, or resource that a user desires to permit other guests to access. Further, there is no requirement that a user of an authorizing device 510 be an owner of the secured location. Instead, the user of an authorizing device 510 may be any person authorized to grant or control access to the location.

In response to a request to generate the encoded image, an authorizing device 510 may acquire a base image at step 512. In some embodiments, the authorizing device 510 may use an associated or integrated camera to capture the base image. The authorizing device 510 may prompt the user to use the camera to capture an image of a scene for use as the base image. The scene may include any location, object, person, activity, event, and/or other visual setting. In some embodiments, the scene may be readily associated with the secured location, for example where the scene includes in it an image of the secured location or of the homeowner. In other embodiments, the authorizing device 510 may allow a user to select a picture from a group of images stored on the authorizing device 510 or elsewhere. In such a case, a security application provided by the authorizing device 510 may use various criteria to determine whether a picture may be selected as the base image, such as the time the picture was taken, an amount of entropy and/or randomness in the picture, content of the picture, location the picture was taken, device that captured the picture, previous usage of the picture, and/or other criteria determining the suitableness of the picture for use with steganographic encoding techniques. Similarly, these criteria may be used to verify that a base image captured by the user is suitable for use as an encoded image. If a base image does not meet these criteria, the authorizing device 510 may inform the user and request a selection/capture of another suitable image.

At step 514, the authorizing device 510 may allow the user to select one or more access restrictions to associate with the encoded image. The access restrictions selected by the user or otherwise determined appropriate for association with the access information may include any restrictions on when and/or how the access information may be used to access the secured location. Access restrictions may include a valid time of day, valid days of the week, valid dates, limited number of uses, expiration date, user identity, verification procedures, notification procedures, device restrictions, and/or any suitable restriction on when and/or how the secured location may be accessed. In some embodiments, the user of the authorizing device 510 may be provided a list of restrictions and may select none, one, or more of the restrictions to be applied to the encoded image. Additionally and/or alternatively, the authorizing device 510 may determine appropriate restrictions, which may be verified by the user. Further, the steganographic platform 520 and/or the home security system 530 may determine appropriate access restrictions to associate with the encoded image.

At step 551, and according to some embodiments, the authorizing device 510 may send the base image and the one or more access restrictions (if any) to a steganographic platform 520 for encoding.

At step 522, the steganographic platform 520 may determine access information for the secured location and encode that access information and the one or more access restrictions into the base image, thereby generating an encoded image. The access information may be information recognizable by a home security system 530, which may, for example, correspond to the security backend 420 and/or the home security system 430 illustrated in FIG. 4, as identifying a guest who may be permitted to enter the secured location. A guest presenting the access information may be allowed entrance into the location, much like a bearer of a physical key can enter a door protected by a keyed lock. For example, the access information may be a computer-recognizable key value associated with the secured location. As another example, the access information may be a shape or pattern that may be embedded in the base image. The access information may be predetermined and/or may be dynamically determined by the steganographic platform 520, the authorizing device 510, or the home security system 530. The access information may be determined based on attributes associated with the secured location, the home security system, the authorizing device, a user of the authorizing device, the guest device, a user of the guest device, a time of day, a date, a security backend associated with the steganographic platform 520, the home security system 530, and/or any suitable basis for generating and recognizing access information. The access information may be provided to the steganographic platform by the home security system 530.

The steganographic platform 520 may provide a steganographic module which may use steganographic techniques to encode the access information and/or access restrictions into one or more portions of the base image, thereby generating the encoded image as discussed above in regard to the security backend 420 of FIG. 4. For example, in some embodiments the base image may be broken into four quadrants. In one illustrative embodiment, the access information may be encoded in the first quadrant, an access restriction relating to the permissible access times may be encoded in the second quadrant, an access restriction relating to the number of times the encoded image can be used may be encoded in the third quadrant, and an identifier associated with an intended guest may be encoded in the fourth quadrant. Any appropriate number of portions may be used, and one portion may be encoded to contain more than one access restriction and/or the access information. Additionally and/or alternatively, more than one portion may include a particular access restriction and/or the access information, or a single portion may include the same piece of information encoded multiple times. Such redundant encoding may facilitate better recognition of the encoded image by the home security system 530 or the steganographic platform 520.

The steganographic platform 520 may further store the access information, access restrictions, base image, and/or encoded image in a security database. The information stored in the security database may be used to recognize and validate a later presentation of the encoded image by the guest device 540 at the secured location. For example, the security database may store the base image and use the stored base image as part of extracting the encoded information in the encoded image, as described below in regard to step 524.

In other embodiments, steps 551 and 522 may be omitted, and the authorizing device 510 may determine and encode the access information itself. Alternatively and/or additionally, the authorizing device 510 may receive the access information from the steganographic platform 520 or the home security system 530, and the authorizing device 510 may encode the received access information into the base image.

A wide range of steganographic methods may be used by the steganographic platform 520, or the authorizing device 510, to encode information in the base image. The access information and one or more access restrictions may be encoded in the base image by changing one or more attributes or data values of the base image. For example, in one embodiment a least significant bit of a range of pixel data may be changed to encode the access information. In other embodiments, higher order bits may be used. In still other embodiments, a pattern or other sequence of bits may be used to encode the access information in the base image. Other steganographic methods used to encode the access information and access restrictions in the base image may include adjusting colors, brightness, contrast, patterns, shapes, and/or any other attributes or data of the base image. Additionally and/or alternatively, a key or algorithmic hint may be encoded in the encoded image such that a decoding device may use the key or algorithmic hint to recognize the encoded access information and/or access restrictions. In some embodiments, the steganographically encoded information may be decoded and/or extracted by comparing the encoded image to the base image. In other embodiments, the steganographically encoded information may be decoded and/or extracted based on a pre-determined and/or pre-shared algorithm. A human viewer may not be able to recognize a difference between the base image and the encoded image, but such a difference may be easily recognized by a computer programmed to look for such differences.
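
An added example, not code from the patent: one way to realize the quadrant layout and redundant least-significant-bit encoding described above, with majority-vote decoding. The grayscale list-of-rows image model, the one-byte length prefix, `REPEAT = 3`, and the sample field values are assumptions made for the illustration.

```python
# Added illustration, not code from the patent: quadrant-based LSB embedding
# with redundant copies of every payload bit.
# Assumption: the image is grayscale, a list of rows of ints in 0..255.

REPEAT = 3  # copies written for each payload bit (assumed value)


def quadrants(height, width):
    """Pixel coordinates of the four quadrants, row-major inside each one."""
    hh, hw = height // 2, width // 2
    boxes = [(0, hh, 0, hw), (0, hh, hw, width),
             (hh, height, 0, hw), (hh, height, hw, width)]
    return [[(r, c) for r in range(r0, r1) for c in range(c0, c1)]
            for r0, r1, c0, c1 in boxes]


def to_bits(data):
    """Bytes to a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits for a bit list whose length is a multiple of 8."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def encode(base, fields):
    """Return a copy of `base` with fields[i] hidden in quadrant i."""
    if len(fields) != 4:
        raise ValueError("exactly four fields are expected, one per quadrant")
    image = [row[:] for row in base]
    for coords, payload in zip(quadrants(len(image), len(image[0])), fields):
        if len(payload) > 255:
            raise ValueError("field longer than 255 bytes")
        # One length byte, then the payload (assumed framing).
        bits = to_bits(bytes([len(payload)]) + payload)
        if len(bits) * REPEAT > len(coords):
            raise ValueError("quadrant too small for this field")
        for i, bit in enumerate(bits):
            for r, c in coords[i * REPEAT:(i + 1) * REPEAT]:
                image[r][c] = (image[r][c] & 0xFE) | bit  # overwrite the LSB only
    return image


def _read_bits(image, coords, first_bit, count):
    """Recover `count` bits by majority vote over their REPEAT copies."""
    bits = []
    for i in range(first_bit, first_bit + count):
        cells = coords[i * REPEAT:(i + 1) * REPEAT]
        if len(cells) < REPEAT:
            raise ValueError("declared length exceeds quadrant capacity")
        ones = sum(image[r][c] & 1 for r, c in cells)
        bits.append(1 if 2 * ones > REPEAT else 0)
    return bits


def decode(image):
    """Extract the four hidden fields, in quadrant order."""
    fields = []
    for coords in quadrants(len(image), len(image[0])):
        length = from_bits(_read_bits(image, coords, 0, 8))[0]
        fields.append(from_bits(_read_bits(image, coords, 8, 8 * length)))
    return fields


def max_pixel_delta(a, b):
    """Largest per-pixel difference between two images of equal size."""
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


# Constructed sample data: a synthetic 64x64 base image and four fields in the
# order of the illustrative embodiment (access information, permissible
# times, number of uses, guest identifier).
BASE_IMAGE = [[(r * 37 + c * 101 + 13) % 256 for c in range(64)]
              for r in range(64)]
FIELDS = [b"KEY-7f3a91c2", b"09:00-12:00", b"uses=3", b"guest-device-01"]
ENCODED_IMAGE = encode(BASE_IMAGE, FIELDS)

if __name__ == "__main__":
    print(decode(ENCODED_IMAGE))
    print("largest pixel change:", max_pixel_delta(BASE_IMAGE, ENCODED_IMAGE))
```

The round trip operates on exact pixel values and does not model the camera capture of step 532.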

At step 553, in some embodiments, the steganographic platform 520 may notify the home security system 530 of one or more of the access restrictions. The home security system 530 may adjust its operation based on the access restrictions. For example, the home security system 530 may activate a security camera or other monitoring device based on a permissible time range associated with the access information. In such an example, the home security system 530 may monitor the secured location for a presentation of the encoded image during the permissible time range, and may turn off the monitoring device or otherwise not watch for the encoded image outside of the time range.

At step 554a, in some embodiments, the steganographic platform 520 may send the encoded image to a guest device 540. In another embodiment, the encoded image may be returned to the authorizing device 510 in optional step 552 and the authorizing device 510 may send the encoded image to the guest device 540 at step 554b. The encoded image may be sent to the guest device 540 via a number of methods and protocols, such as SMS text messaging, MMS messaging, other mobile messaging services, email, and the like. In one embodiment, the guest device 540 may execute an application associated with the steganographic platform 520 and/or the home security system 530 and may request and/or receive the encoded image through the associated application.

Once the encoded image is received by the guest device 540, a guest may use the guest device 540 to present a display of the encoded image to the home security system 530 in step 555 in order to gain entry to the secured location. The guest device 540 may include or be associated with a display for providing a visual presentation of the encoded image. The user of the guest device 540 may request that the guest device 540 display the encoded image, and the user may orient the guest device 540 such that a monitoring device associated with the home security system 530 is capable of recognizing access information encoded in the displayed image. For example, the user may hold the guest device 540 up to a security camera so that the security camera can see the display. As another example, where the monitoring device is a specialized camera for capturing a display of the encoded image rather than monitoring the premises, a user may place the guest device 540 on a platform or against a panel associated with the monitoring device, or otherwise orient the device such that the monitoring device may capture the encoded image presented on the display.

At step 532, a monitoring device associated with the home security system 530 may capture a display of the encoded image. For example, a security camera may capture a scene including a portion of the premises surrounding the secured location and the guest device 540 presenting the encoded image. Thus, the encoded image may be included in the captured image, though the captured image may contain additional objects and information. In the particular application of these techniques discussed above, for example, the housekeeper may cause their mobile phone to display the encoded image and hold it up to a security camera. The security camera may capture an image including the housekeeper's phone and display, as well as other extra visual information (such as the surroundings, the housekeeper, etc.). In some embodiments, the monitoring device may recognize when a candidate encoded image is presented for capture and capture an image, or the monitoring device may periodically or constantly capture an image and determine whether a candidate encoded image is present. In some embodiments, the monitoring device may capture a series of sequential images and use these to better determine when an encoded image is presented. For example, capturing a sequential series of images of the presented encoded image may allow the home security system 530 or the steganographic platform 520 to better identify the encoded image by adjusting for orientation, glare, or other imperfections in the capture of the presented encoded image. By using the sequential series of images, the home security system 530 or the steganographic platform 520 may be able to reduce errors introduced by tilt, reflections, imperfections in the display of the guest device 540, and the like. The home security system 530 may engage in some preprocessing to determine whether a captured image may contain a candidate encoded image and should be further examined to determine the presence of encoded access information.

In some embodiments, the home security system 530 may transmit captured images upstream to the steganographic platform 520 for further processing, including recognition of encoded information. Thus, at step 556, the home security system 530 may transmit the captured image including the encoded image to the steganographic platform 520. The entire captured image may be transmitted upstream, or a portion of the image may be transmitted in lieu of the entire image. For example, preprocessing done at the home security system 530 may identify a portion of the captured image as containing a candidate encoded image presentation, and may send that portion to the steganographic platform 520. In other embodiments, the home security system 530 may recognize encoded access information without sending the capture upstream. For example, the steganographic platform 520 or the authorizing device 510 may have provided the home security system 530 with an indication of the encoded image or access information, and the home security system 530 may itself watch for and recognize a display of the encoded image.

After receiving the captured image, the steganographic platform 520 may analyze the captured image and recognize the encoded image presented in the captured image in step 524. The steganographic platform 520 may determine which portions of the captured image correspond to a candidate encoded image, and may analyze those portions for the presence of encoded information. In some embodiments where the monitoring device is able to substantially limit the presence of extra information, the steganographic platform 520 may consider the entire captured image as a candidate encoded image. Such a situation may occur where the monitoring device is adapted to receive the display of the encoded image, such as where a scanning panel or other specially configured monitoring device is used to receive the presentation of the encoded image.

The steganographic platform 520 may extract encoded information from the candidate encoded image based on the steganographic techniques used by the steganographic platform 520 or the authorizing device 510 to encode the access information and access restrictions in the encoded image. Information about the steganographic techniques used may be stored in the security database associated with the steganographic platform 520. For example, if the access information was encoded in the least significant bit or higher order bits of a specific portion of the encoded image, the steganographic platform 520 may analyze these portions of the candidate encoded image to extract the encoded access information. Similarly, if the access information were encoded in patterns or shapes in the encoded image, the steganographic platform 520 may analyze the candidate encoded image to determine whether the expected patterns or shapes are present. The steganographic platform 520 may extract the encoded information based on a pre-determined or pre-shared algorithm for encoding the information. Additionally and/or alternatively, a key or algorithmic hint may be encoded in the candidate encoded image and the steganographic platform 520 may extract this key or hint and use it to extract additional encoded information. In other embodiments, the steganographic platform 520 may compare the candidate encoded image to a base image or an encoded image stored in the security database to extract or identify the access information and/or access restrictions.

The extracted or recognized information may be compared to known and/or expected access information as part of step 524. If the extracted information matches the expected access information, the steganographic platform 520 may instruct the home security system 530 to grant the guest access at step 557. For example, step 557 may involve the steganographic platform 520 instructing the home security system 530 to unlock and/or open a door at the secured location. The door may be determined based on a location of the monitoring device that captured the display of the encoded image. For example, if the encoded image is captured by a security camera at a front door, the front door may be unlocked by the home security system 530. This step may further involve recognizing one or more access restrictions encoded in the encoded image or associated with the access information, as may be stored in the security database. The steganographic platform 520 and/or the home security system 530 may determine whether or not the one or more access restrictions are satisfied before the guest is granted access. As discussed above, the one or more access restrictions may, for example, include a time restriction on when access should be granted. If a guest presents the encoded image to the home security system 530 outside of the specified time, the guest may not be granted access. Similarly, the access restrictions may indicate additional verification procedures should be performed prior to granting access, such as capturing sufficient identifying information associated with the guest (e.g., a picture of the guest's face, a complete fingerprint, a retinal scan, a second form of identification, and the like).

When the steganographic platform 520 receives a captured image determined to include a candidate encoded image, or when the steganographic platform 520 detects a display of the encoded image, the steganographic platform 520 may generate an access attempt notification. The access attempt notification may include information regarding the time and nature of the access attempt, and may include the captured image, the encoded image, the extracted information, the access information, and/or any other information identifying the access attempt. The access attempt notification may be stored in the security database. In some embodiments, the access attempt notification may be provided to the authorizing device 510. The access attempt notification may indicate that a guest attempted to access the secured location but was denied access due to the access restrictions associated with the access information.

Once the access information has been extracted, recognized, and/or verified by the steganographic platform 520 and/or the home security system 530, the guest may be granted access to the secure location. In some embodiments, the home security system 530 may acquire identifying information about the guest prior to granting access at step 534. For example, the home security system 530 may deny a guest access until the home security system 530 captures a picture of the guest's face or another appropriate identification of the guest. In some embodiments, the identifying information may be sent to the steganographic platform 520 and/or the authorizing device 510 for verification and/or approval before the guest is granted access. For example, the home security system 530 may capture a picture of the guest's face and send an access request to the authorizing device 510 including the picture. The authorizing device 510 may prompt a user to verify the identity of the guest and approve their access request. If a guest does not submit to identification or if their identity cannot be verified, in some embodiments the guest may be denied access.

In some embodiments, the home security system 530 and/or the steganographic platform 520 may request and/or acquire identifying information from the guest device 540. For example, a device identifier associated with the guest device 540 may be transmitted to the home security system 530 and/or the steganographic platform 520. This device identifier may be used to verify that the device presenting the encoded image is the same device as the device the authorizing user intended to grant access rights to. For example, a guest seeking an encoded image from the authorizing user may provide the authorizing user with an identifier of the guest device 540 and the authorizing device 510 may encode this information in the encoded image or security database.
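
An added example, not code from the patent: the grant decision of step 524 together with the access attempt notification and the device identifier check described above. The record layout, the per-door keying of grants, the reason strings, and all sample values are assumptions; the key comparison uses `hmac.compare_digest` so that it runs in constant time.

```python
# Added illustration, not code from the patent: deciding whether extracted
# access information may open a door, and recording every attempt.
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Grant:
    """Security-database record for one issued encoded image (assumed layout)."""
    access_info: bytes          # expected key value
    window_start: time          # valid time of day, inclusive
    window_end: time
    valid_weekdays: frozenset   # 0 = Monday ... 6 = Sunday
    expires: datetime           # expiration date
    uses_left: int              # limited number of uses
    guest_device_id: str        # device the authorizing user intended


@dataclass
class SecurityDatabase:
    grants: dict                               # door name -> Grant (assumed keying)
    attempts: list = field(default_factory=list)


def evaluate_attempt(db, door, extracted_info, device_id, now):
    """Return (granted, reason) and append an access attempt notification."""
    grant = db.grants.get(door)
    if grant is None or not hmac.compare_digest(grant.access_info, extracted_info):
        reason = "access information not recognized"
    elif now >= grant.expires:
        reason = "expired"
    elif now.weekday() not in grant.valid_weekdays:
        reason = "day of week not permitted"
    elif not (grant.window_start <= now.time() <= grant.window_end):
        reason = "outside permitted time of day"
    elif grant.uses_left <= 0:
        reason = "use limit reached"
    elif device_id != grant.guest_device_id:
        reason = "guest device not recognized"
    else:
        reason = "granted"
        grant.uses_left -= 1    # consume one use only on success

    granted = reason == "granted"
    # Denied attempts are recorded too, so the authorizing device can be told
    # that a guest tried to enter and why the attempt was refused.
    db.attempts.append({
        "time": now.isoformat(),
        "door": door,
        "device_id": device_id,
        "granted": granted,
        "reason": reason,
    })
    return granted, reason


# Constructed sample data for the housekeeper scenario.
SAMPLE_KEY = b"KEY-7f3a91c2"


def sample_database():
    return SecurityDatabase(grants={
        "front door": Grant(
            access_info=SAMPLE_KEY,
            window_start=time(9, 0),
            window_end=time(12, 0),
            valid_weekdays=frozenset({0, 2, 4}),   # Monday, Wednesday, Friday
            expires=datetime(2024, 6, 30),
            uses_left=2,
            guest_device_id="guest-device-01",
        )
    })


if __name__ == "__main__":
    db = sample_database()
    monday_10am = datetime(2024, 6, 3, 10, 0)
    print(evaluate_attempt(db, "front door", SAMPLE_KEY, "guest-device-01", monday_10am))
    print(evaluate_attempt(db, "front door", b"KEY-00000000", "guest-device-01", monday_10am))
    print(db.attempts)
```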

At step 558, the home security system 530 grants a bearer of the guest device 540 access to the secured location. For example, the home security system 530 may unlock and/or open the door as instructed by the steganographic platform 520 in step 557. The home security system 530 may generate an access log message and send the message to the steganographic platform 520 at step 559a. The access log message may include, for example, the encoded image, the access information, the time of access, the identifying information associated with the guest and/or guest device, and the like. The access log message may be stored in the security database, and the steganographic platform 520 may repackage the access log message and send a notification to the authorizing device 510 at step 559b.

Through the sequence illustrated in FIG. 5, an owner or other authorized user may generate an encoded image and send the image to a guest such that the guest may access a secured location. The guest may present the encoded image to a home security system at the secured location which may recognize access information encoded in the encoded image and grant the guest access to the secured location.

Having described an example sequence diagram as illustrated in FIG. 5, discussion will now turn to a method according to one or more embodiments as illustrated in FIG. 6.

FIG. 6 illustrates an example method performed in a system such as the system 400 illustrated in FIG. 4. An authorizing user of an authorized computing device may request the generation of an encoded image which may be used to provide a guest user of a guest computing device with access to a secured location protected by a security system.

In step 602, the authorizing user may be prompted to take a picture using a camera and/or select an existing image. The picture may be used as a base image to generate the encoded image. The user may also select one or more access restrictions to associate with the encoded image.

In step 604, access information recognizable by the security system may be steganographically encoded into the picture, thereby generating an encoded image. A wide range of steganographic techniques may be used to encode the information as discussed above. The one or more access restrictions may also be encoded into the encoded image. As discussed above, in some embodiments the encoded image may be generated at a security backend or steganographic platform. In other embodiments, the encoded image may be generated by the authorized computing device.

In step 606, the encoded image may be transmitted to the guest device. In some embodiments, a security backend or steganographic platform may transmit the encoded image to the guest device. In other embodiments, the authorized device may transmit the encoded image to the guest device. As discussed above, the encoded image may be transmitted using any suitable protocol for providing the encoded image to the guest computing device, such as SMS messaging, MMS messaging, email, through an application installed on the guest computing device, and the like.

In step 608, a display of the encoded image may be captured. As discussed above, a user of the guest computing device may operate the guest computing device to display the encoded image. The user may orient the guest computing device such that the display of the encoded image may be captured by, for example, a security camera associated with the security system at the secured location.

In step 610, the security system and/or security backend may recognize the access information embedded in the displayed encoded image as captured in step 608. The access information may be extracted from the encoded image based on the steganographic techniques used to encode the access information.

In step 612, the security system and/or security backend may determine whether access conditions are met. For example, the security system and/or security backend may determine whether the access information matches known and/or expected access information for the secured location. Further, the security system and/or security backend may determine whether one or more access restrictions associated with the access information or encoded in the encoded image are satisfied.

In step 614, the home security system may capture identifying information about the guest user. For example, the home security system may capture a picture of the guest user's face, a fingerprint of the guest user, or any other suitable identifying information. In some embodiments, the home security system may capture an identifier associated with the guest device and confirm that the identifier is associated with the access information.

In step 616, the home security system may grant the guest user access to the secure location. For example, the home security system may unlock a door at which the encoded image was presented.

FIGS. 5 and 6 illustrate techniques applied to images. However, the techniques described herein may be applied to any type of media file such as video, sound, documents, and the like. FIG. 7 illustrates how the techniques described herein may be used with any type of media file.

FIG. 7 illustrates an example method performed in a system such as the system 400 illustrated in FIG. 4. An authorizing user of an authorized computing device may request the generation of an encoded media file which may be used to provide a guest user of a guest computing device with access to a secured location protected by a security system.

In step 702, the authorizing user may provide a base media file that may be received by a device, such as an authorizing device 510 and/or steganographic platform 520 as illustrated in FIG. 5, and used as a base media to generate the encoded media file. The user may also select one or more access restrictions to associate with the encoded media file.

In step 704, access information recognizable by the security system may be steganographically encoded into the base media file, thereby generating an encoded media file. A wide range of steganographic techniques may be used similar to those used to encode the information in the encoded image as discussed above. For example, where the base media file is a sound file, the steganographic techniques may involve encoding the access information in the sound file by modifying the tones or volume of the sound. Such a modification may be difficult for a human to recognize but may be easily recognized by a computing device programmed to identify the difference. Similarly, a video file may be modified such that a color or brightness in a frame or section is changed, and the data may be encoded as part of a series of images making up the video. The encoded data may, in some embodiments, be encoded across the series of frames and could be extracted from a presentation of the video. Additionally, one or more access restrictions may also be encoded into the encoded media file. In some embodiments the encoded media file may be generated at a security backend or steganographic platform, similar to the encoded image discussed above. In other embodiments, the encoded media file may be generated by the authorized computing device.

In step 706, the encoded media file may be transmitted to the guest device. In some embodiments, a security backend or steganographic platform may transmit the encoded media file to the guest device. In other embodiments, the authorized device may transmit the encoded media file to the guest device. As discussed above, the encoded media file may be transmitted using any suitable protocol for providing the encoded media file to the guest computing device, such as SMS text messaging, MMS messaging, email, through an application installed on the guest computing device, and the like.

In step 708, a presentation of the encoded media file may be captured. Similar to the display of the encoded image above, a user of the guest computing device may operate the guest computing device to present the encoded media file. The user may orient the guest computing device such that the presentation of the encoded media file may be captured by a monitoring device associated with the security system at the secured location. For example, the monitoring device may be a microphone configured to capture a presentation of an encoded sound file. As another example, the monitoring device may be a video camera configured to capture a presentation of an encoded video file.

In step 710, a security system and/or security backend associated with the monitoring device may recognize the encoded access information and/or access restrictions in the encoded media file. Similar to the encoded image discussed above, the security system and/or security backend may extract the encoded information based on the steganographic encoding techniques used in step 704.

In step 712, the security system may grant the guest user access to the secured location based on recognizing the access information encoded in the encoded media file in step 710.

As a result of the processes illustrated in FIGS. 6 and 7, a guest user may be provided with access to a secured location based on an encoded image or media file generated by an authorized user. The method illustrated, for example, in FIGS. 6 and 7 may provide increased flexibility and ease in providing guests access to a secured location such as a residence or business.

Although example embodiments are described above, the various features and steps may be combined, divided, omitted, rearranged, revised and/or augmented in any desired manner, depending on the specific outcome and/or application. Various alterations, modifications, and improvements will readily occur to those skilled in the art. Such alterations, modifications, and improvements as are made obvious by this disclosure are intended to be part of this description though not expressly stated herein, and are intended to be within the spirit and scope of the disclosure. Accordingly, the foregoing description is by way of example only, and not limiting. This patent is limited only as defined in the following claims and equivalents thereto.

1. A method comprising: generating, by a computing device and based on a base media file associated with the computing device, an encoded media file that comprises steganographically concealed access information for accessing a premises; and sending, to a user device, the encoded media file to facilitate access to the premises.
2. The method of claim 1, wherein the computing device is a mobile device associated with the premises.
3. The method of claim 1, further comprising: determining, prior to the generating, that the base media file is suitable to be encoded with the access information, based on at least one of: a time associated with the base media file, an amount of entropy or randomness in the base media file, content of the base media file, a location where the base media file was captured, a device that captured the base media file, or previous usage of the base media file.
4. The method of claim 1, wherein the generating comprises generating the encoded media file by steganographically encoding the base media file with first access information in a first portion of the base media file and second access information in a second portion of the base media file, wherein the first portion is different from the second portion.
5. The method of claim 1, further comprising: selecting the base media file from a photo album associated with the computing device.
6. The method of claim 1, wherein the generating comprises generating the encoded media file by adjusting at least one attribute of the base media file to steganographically conceal the access information.
7. The method of claim 1, further comprising: receiving, from the user device, a request to obtain access to the premises, wherein the request comprises the encoded media file; and granting, based on a comparison of the access information in the encoded media file and known access information, the access to the premises.
8. An apparatus comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: generate, based on a base media file associated with the apparatus, an encoded media file that comprises steganographically concealed access information for accessing a premises; and send, to a user device, the encoded media file to facilitate access to the premises.
9. The apparatus of claim 8, wherein the apparatus is a mobile device associated with the premises.
10. The apparatus of claim 8, wherein the instructions, when executed by the one or more processors, cause the apparatus to: determine, prior to generating the encoded media file, that the base media file is suitable to be encoded with the access information, based on at least one of: a time associated with the base media file, an amount of entropy or randomness in the base media file, content of the base media file, a location where the base media file was captured, a device that captured the base media file, or previous usage of the base media file.
 11. The apparatus of claim 8, wherein the instructions, when executed by the one or more processors, cause the apparatus to generate the encoded media file by steganographically encoding the base media file with first access information in a first portion of the base media file and second access information in a second portion of the base media file, and wherein the first portion is different from the second portion.
 12. The apparatus of claim 8, wherein the instructions, when executed by the one or more processors, cause the apparatus to: select the base media file from a photo album associated with the apparatus.
 13. The apparatus of claim 8, wherein the instructions, when executed by the one or more processors, cause the apparatus to generate the encoded media file by adjusting at least one attribute of the base media file to steganographically conceal the access information.
 14. The apparatus of claim 8, wherein the instructions, when executed by the one or more processors, cause the apparatus to: receive, from the user device, a request to obtain access to the premises, wherein the request comprises the encoded media file; and grant, based on a comparison of the access information in the encoded media file and known access information, the access to the premises.
 15. A non-transitory computer-readable medium storing instructions that, when executed, cause a computing device to: generate, based on a base media file associated with the computing device, an encoded media file that comprises steganographically concealed access information for accessing a premises; and send, to a user device, the encoded media file to facilitate access to the premises.
 16. The non-transitory computer-readable medium of claim 15, wherein the computing device is a mobile device associated with the premises.
 17. The non-transitory computer-readable medium of claim 15, wherein the instructions, when executed, cause the computing device to: determine, prior to generating encoded media file, that the base media file is suitable to be encoded with the access information, based on at least one of: a time associated with the base media file, an amount of entropy or randomness in the base media file, content of the base media file, a location where the base media file was captured, a device that captured the base media file, or previous usage of the base media file.
 18. The non-transitory computer-readable medium of claim 15, wherein the instructions, when executed, cause the computing device to generate the encoded media file by steganographically encoding the base media file with first access information in a first portion of the base media file and second access information in a second portion of the base media file, and wherein the first portion is different from the second portion.
 19. The non-transitory computer-readable medium of claim 15, wherein the instructions, when executed, cause the computing device to: select the base media file from a photo album associated with the computing device.
 20. The non-transitory computer-readable medium of claim 15, wherein the instructions, when executed, cause the computing device to generate the encoded media file by adjusting at least one attribute of the base media file to steganographically conceal the access information.
 21. The non-transitory computer-readable medium of claim 15, wherein the instructions, when executed, cause the computing device to: receive, from the user device, a request to obtain access to the premises, wherein the request comprises the encoded media file; and grant, based on a comparison of the access information in the encoded media file and known access information, the access to the premises.
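An added example, not part of the patent text: a sketch of the flow in claims 4, 6, 7 and 10, assuming least-significant-bit embedding over raw 8-bit pixel bytes (the claims name no specific encoding). The function names, portion offsets, token values and the entropy threshold are assumptions, and the pixel buffer is constructed.

```python
import hmac
import math
import os
from collections import Counter

MIN_ENTROPY = 6.0  # assumed threshold, bits per byte (not from the patent)

def suitable(pixels):
    """Claim 10 style check: reject flat images where LSB changes stand out."""
    n = len(pixels)
    h = -sum(c / n * math.log2(c / n) for c in Counter(pixels).values())
    return h >= MIN_ENTROPY

def embed(pixels, offset, payload):
    """Hide payload in the LSBs of pixels[offset:], one bit per pixel byte."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if offset < 0 or offset + len(bits) > len(pixels):
        raise ValueError("portion too small for payload")
    for k, bit in enumerate(bits):
        pixels[offset + k] = (pixels[offset + k] & 0xFE) | bit

def extract(pixels, offset, length):
    """Read `length` bytes back from the LSBs starting at `offset`."""
    out = bytearray()
    for j in range(length):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (pixels[offset + 8 * j + i] & 1)
        out.append(byte)
    return bytes(out)

def grant_access(pixels, known):
    """Claim 7: compare every portion with known access information.
    `known` maps portion offset -> expected bytes; no early exit on mismatch."""
    ok = True
    for offset, expected in known.items():
        if offset + 8 * len(expected) > len(pixels):
            return False  # image too small to carry this portion
        got = extract(pixels, offset, len(expected))
        ok &= hmac.compare_digest(got, expected)
    return ok

if __name__ == "__main__":
    base = bytearray(os.urandom(4096))               # constructed pixel data
    known = {0: b"door:front", 2048: b"until:1800"}  # constructed values
    assert suitable(base)
    for off, tok in known.items():
        embed(base, off, tok)
    print("granted:", grant_access(base, known))
```

Plain LSB embedding only conceals the value; anyone holding a copy of the encoded file can present it, so the compared access information should be high-entropy and revocable on the security system side.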